Merge branch 'main' into redsun82/update-rules-kotlin

Author: redsun82

.github/dependabot.yml

@@ -45,3 +45,5 @@ updates:
     directory: "/"
     schedule:
       interval: weekly
+    exclude-paths:
+      - "misc/bazel/registry/**"

MODULE.bazel

@@ -15,23 +15,23 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages
 
 bazel_dep(name = "platforms", version = "1.0.0")
-bazel_dep(name = "rules_cc", version = "0.2.16")
-bazel_dep(name = "rules_go", version = "0.59.0")
+bazel_dep(name = "rules_cc", version = "0.2.17")
+bazel_dep(name = "rules_go", version = "0.60.0")
 bazel_dep(name = "rules_java", version = "9.0.3")
-bazel_dep(name = "rules_pkg", version = "1.0.1")
+bazel_dep(name = "rules_pkg", version = "1.2.0")
 bazel_dep(name = "rules_nodejs", version = "6.7.3")
-bazel_dep(name = "rules_python", version = "0.40.0")
-bazel_dep(name = "rules_shell", version = "0.5.0")
+bazel_dep(name = "rules_python", version = "1.9.0")
+bazel_dep(name = "rules_shell", version = "0.6.1")
 bazel_dep(name = "bazel_skylib", version = "1.8.1")
-bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
+bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
 bazel_dep(name = "rules_kotlin", version = "2.3.10.codeql.1")
 bazel_dep(name = "gazelle", version = "0.47.0")
 bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
-bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.68.1.codeql.1")
-bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
+bazel_dep(name = "googletest", version = "1.17.0.bcr.2")
+bazel_dep(name = "rules_rust", version = "0.69.0")
+bazel_dep(name = "zstd", version = "1.5.7.bcr.1")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 

config/add-overlay-annotations.py

@@ -199,6 +199,7 @@ def annotate_as_appropriate(filename, lines):
     # as overlay[local?].  It is not clear that these heuristics are exactly what we want,
     # but they seem to work well enough for now (as determined by speed and accuracy numbers).
     if (filename.endswith("Test.qll") or
+        re.search(r"go/ql/lib/semmle/go/security/[^/]+[.]qll$", filename.replace(os.sep, "/")) or
         ((filename.endswith("Query.qll") or filename.endswith("Config.qll")) and
          any("implements DataFlow::ConfigSig" in line for line in lines))):
         return None

config/identical-files.json

@@ -172,10 +172,6 @@
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
   ],
-  "C# ControlFlowReachability": [
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
-  ],
   "C++ ExternalAPIs": [
     "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
     "cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll"

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -524,6 +524,12 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
       not exists(NewOrNewArrayExpr new | e = new.getAllocatorCall().getArgument(0))
     )
   }
+
+  /**
+   * Holds if this function has an ambiguous return type, meaning that zero or multiple return
+   * types for this function are present in the database (this can occur in `build-mode: none`).
+   */
+  predicate hasAmbiguousReturnType() { count(this.getType()) != 1 }
 }
 
 pragma[noinline]

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -1663,7 +1663,7 @@ private module Cached {
   private predicate compares_ge(
     ValueNumber test, Operand left, Operand right, int k, boolean isGe, GuardValue value
   ) {
-    exists(int onemk | k = 1 - onemk | compares_lt(test, right, left, onemk, isGe, value))
+    compares_lt(test, right, left, 1 - k, isGe, value)
   }
 
   /** Rearrange various simple comparisons into `left < right + k` form. */

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -353,12 +353,26 @@ module CsvValidation {
     )
   }
 
+  private string getIncorrectConstructorSummaryOutput() {
+    exists(string namespace, string type, string name, string output |
+      type = name or
+      type = name + "<" + any(string s)
+    |
+      summaryModel(namespace, type, _, name, _, _, _, output, _, _, _) and
+      output.matches("ReturnValue%") and
+      result =
+        "Constructor model for " + namespace + "." + type +
+          " should use `Argument[this]` in the output, not `ReturnValue`."
+    )
+  }
+
   /** Holds if some row in a CSV-based flow model appears to contain typos. */
   query predicate invalidModelRow(string msg) {
     msg =
       [
         getInvalidModelSignature(), getInvalidModelInput(), getInvalidModelOutput(),
-        getInvalidModelSubtype(), getInvalidModelColumnCount(), KindVal::getInvalidModelKind()
+        getInvalidModelSubtype(), getInvalidModelColumnCount(), KindVal::getInvalidModelKind(),
+        getIncorrectConstructorSummaryOutput()
       ]
   }
 }

cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll

@@ -6,117 +6,67 @@ private import OverlayXml
 
 /**
  * Holds always for the overlay variant and never for the base variant.
- * This local predicate is used to define local predicates that behave
- * differently for the base and overlay variant.
  */
 overlay[local]
 predicate isOverlay() { databaseMetadata("isOverlay", "true") }
 
-overlay[local]
-private string getLocationFilePath(@location_default loc) {
-  exists(@file file | locations_default(loc, file, _, _, _, _) | files(file, result))
-}
-
-/**
- * Gets the file path for an element with a single location.
- */
-overlay[local]
-private string getSingleLocationFilePath(@element e) {
-  exists(@location_default loc |
-    var_decls(e, _, _, _, loc)
-    or
-    fun_decls(e, _, _, _, loc)
-    or
-    type_decls(e, _, loc)
-    or
-    namespace_decls(e, _, loc, _)
-    or
-    macroinvocations(e, _, loc, _)
-    or
-    preprocdirects(e, _, loc)
-    or
-    diagnostics(e, _, _, _, _, loc)
-    or
-    usings(e, _, loc, _)
-    or
-    static_asserts(e, _, _, loc, _)
-    or
-    derivations(e, _, _, _, loc)
-    or
-    frienddecls(e, _, _, loc)
-    or
-    comments(e, _, loc)
-    or
-    exprs(e, _, loc)
-    or
-    stmts(e, _, loc)
-    or
-    initialisers(e, _, _, loc)
-    or
-    attributes(e, _, _, _, loc)
-    or
-    attribute_args(e, _, _, _, loc)
-    or
-    namequalifiers(e, _, _, loc)
-    or
-    enumconstants(e, _, _, _, _, loc)
-    or
-    type_mentions(e, _, loc, _)
-    or
-    lambda_capture(e, _, _, _, _, _, loc)
-    or
-    concept_templates(e, _, loc)
-  |
-    result = getLocationFilePath(loc)
-  )
-}
-
 /**
- * Gets the file path for an element with potentially multiple locations.
+ * Holds if the TRAP file or tag `t` is reachable from source file `sourceFile`
+ * in the base (isOverlayVariant=false) or overlay (isOverlayVariant=true) variant.
  */
 overlay[local]
-private string getMultiLocationFilePath(@element e) {
-  exists(@location_default loc |
-    var_decls(_, e, _, _, loc)
-    or
-    fun_decls(_, e, _, _, loc)
-    or
-    type_decls(_, e, loc)
-    or
-    namespace_decls(_, e, loc, _)
-  |
-    result = getLocationFilePath(loc)
+private predicate locallyReachableTrapOrTag(
+  boolean isOverlayVariant, string sourceFile, @trap_or_tag t
+) {
+  exists(@source_file sf, @trap trap |
+    (if isOverlay() then isOverlayVariant = true else isOverlayVariant = false) and
+    source_file_uses_trap(sf, trap) and
+    source_file_name(sf, sourceFile) and
+    (t = trap or trap_uses_tag(trap, t))
   )
 }
 
 /**
- * A local helper predicate that holds in the base variant and never in the
- * overlay variant.
- */
-overlay[local]
-private predicate isBase() { not isOverlay() }
-
-/**
- * Holds if `path` was extracted in the overlay database.
+ * Holds if element `e` is in TRAP file or tag `t`
+ * in the base (isOverlayVariant=false) or overlay (isOverlayVariant=true) variant.
  */
 overlay[local]
-private predicate overlayHasFile(string path) {
-  isOverlay() and
-  files(_, path) and
-  path != ""
+private predicate locallyInTrapOrTag(boolean isOverlayVariant, @element e, @trap_or_tag t) {
+  (if isOverlay() then isOverlayVariant = true else isOverlayVariant = false) and
+  in_trap_or_tag(e, t)
 }
 
 /**
  * Discards an element from the base variant if:
- * - It has a single location in a file extracted in the overlay, or
- * - All of its locations are in files extracted in the overlay.
+ * - We have knowledge about what TRAP file or tag it is in (in the base).
+ * - It is not in any overlay TRAP file or tag that is reachable from an overlay source file.
+ * - For every base TRAP file or tag that contains it and is reachable from a base source file,
+ *   either the source file has changed, or the overlay has redefined the TRAP file or tag,
+ *   or the overlay runner has re-extracted the same source file.
  */
 overlay[discard_entity]
 private predicate discardElement(@element e) {
-  isBase() and
-  (
-    overlayHasFile(getSingleLocationFilePath(e))
-    or
-    forex(string path | path = getMultiLocationFilePath(e) | overlayHasFile(path))
+  // If we don't have any knowledge about what TRAP file something
+  // is in, then we don't want to discard it, so we only consider
+  // entities that are known to be in a base TRAP file or tag.
+  locallyInTrapOrTag(false, e, _) and
+  // Anything that is reachable from an overlay source file should
+  // not be discarded.
+  not exists(@trap_or_tag t | locallyInTrapOrTag(true, e, t) |
+    locallyReachableTrapOrTag(true, _, t)
+  ) and
+  // Finally, we have to make sure the base variant does not retain it.
+  // If it is reachable from a base source file, then that is
+  // sufficient unless either the base source file has changed (in
+  // particular, been deleted), or the overlay has redefined the TRAP
+  // file or tag it is in, or the overlay runner has re-extracted the same
+  // source file (e.g. because a header it includes has changed).
+  forall(@trap_or_tag t, string sourceFile |
+    locallyInTrapOrTag(false, e, t) and
+    locallyReachableTrapOrTag(false, sourceFile, t)
+  |
+    overlayChangedFiles(sourceFile) or
+    locallyReachableTrapOrTag(true, _, t) or
+    locallyReachableTrapOrTag(true, sourceFile, _)
   )
 }

cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql

@@ -218,7 +218,9 @@ where
   // only report if we cannot prove that the result of the
   // multiplication will be less (resp. greater) than the
   // maximum (resp. minimum) number we can compute.
-  overflows(me, t1)
+  overflows(me, t1) and
+  // exclude cases where the expression type may not have been extracted accurately
+  not me.getParent().(Call).getTarget().hasAmbiguousReturnType()
 select me,
   "Multiplication result may overflow '" + me.getType().toString() + "' before it is converted to '"
     + me.getFullyConverted().getType().toString() + "'."

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -168,9 +168,11 @@ where
     formatOtherArgType(ffc, n, expected, arg, actual) and
     not actual.getUnspecifiedType().(IntegralType).getSize() = sizeof_IntType()
   ) and
+  // Exclude some cases where we're less confident the result is correct / clear / valuable
   not arg.isAffectedByMacro() and
   not arg.isFromUninstantiatedTemplate(_) and
   not actual.stripType() instanceof ErroneousType and
+  not arg.getType().stripType().(RoutineType).getReturnType() instanceof ErroneousType and
   not arg.(Call).mayBeFromImplicitlyDeclaredFunction() and
   // Make sure that the format function definition is consistent
   count(ffc.getTarget().getFormatParameterIndex()) = 1